News of a Worm to Hurt WordPress is False

The WordPress Development Blog announced that a worm going through the online and web community will not harm WordPress sites, even though the rumor mill says it will. That is false. To a point.

There is news of a worm which uses a vulnerability in the PHPXMLRPC libraries to spread a computer virus. Some articles are pointing to out-of-date information claiming that WordPress 1.5 is vulnerable. That is incorrect. WordPress 1.5 or higher is safe. Since the release of version 1.5, WordPress has used a completely different XML-RPC library, called IXR.

The announcement goes on to explain that versions of WordPress prior to 1.5 are indeed vulnerable.

If you haven’t updated WordPress, do it now. At the least, follow the instructions in the announcement on how to protect your old WordPress sites.

Also, before spewing trash and panic over any rumors you hear about worms, viruses, or vulnerabilities, report them to the special WordPress Security contact page. This way the WordPress Developers can respond immediately to the issue, and they will let you know if this is a valid or invalid concern. For the most part, the developers of WordPress stay on top of these issues faster than you ever will, so let them know you have a concern and they will tell you if you have to worry or take action.